Date: Mon, 5 Mar 2001 14:10:36 -0700
From: Elias Levy <aleph1@SECURITYFOCUS.COM>
Subject: Re: Loopback and multi-homed routing flaw in TCP/IP stack.
To: BUGTRAQ@SECURITYFOCUS.COM

A flaw in the standard, not in the stack. RFC 1122 "Requirements for
Internet Hosts -- Communication Layers" covers this issue, although
without pointing out its security consequences.

From section 3.3.4.2 Multihoming Requirements:

   There are two key requirement issues related to multihoming:

   (A)  A host MAY silently discard an incoming datagram whose
        destination address does not correspond to the physical
        interface through which it is received.

   (B)  A host MAY restrict itself to sending (non-source-
        routed) IP datagrams only through the physical
        interface that corresponds to the IP source address of
        the datagrams.

   DISCUSSION:
        Internet host implementors have used two different
        conceptual models for multihoming, briefly summarized
        in the following discussion. This document takes no
        stand on which model is preferred; each seems to have
        a place. This ambivalence is reflected in the issues
        (A) and (B) being optional.

        o    Strong ES Model

             The Strong ES (End System, i.e., host) model
             emphasizes the host/gateway (ES/IS) distinction,
             and would therefore substitute MUST for MAY in
             issues (A) and (B) above. It tends to model a
             multihomed host as a set of logical hosts within
             the same physical host.

             With respect to (A), proponents of the Strong ES
             model note that automatic Internet routing
             mechanisms could not route a datagram to a
             physical interface that did not correspond to the
             destination address.

             Under the Strong ES model, the route computation
             for an outgoing datagram is the mapping:

                route(src IP addr, dest IP addr, TOS) -> gateway

             Here the source address is included as a parameter
             in order to select a gateway that is directly
             reachable on the corresponding physical interface.
             Note that this model logically requires that in
             general there be at least one default gateway, and
             preferably multiple defaults, for each IP source
             address.

        o    Weak ES Model

             This view de-emphasizes the ES/IS distinction, and
             would therefore substitute MUST NOT for MAY in
             issues (A) and (B). This model may be the more
             natural one for hosts that wiretap gateway routing
             protocols, and is necessary for hosts that have
             embedded gateway functionality.

             The Weak ES Model may cause the Redirect mechanism
             to fail. If a datagram is sent out a physical
             interface that does not correspond to the
             destination address, the first-hop gateway will not
             realize when it needs to send a Redirect. On the
             other hand, if the host has embedded gateway
             functionality, then it has routing information
             without listening to Redirects.

             In the Weak ES model, the route computation for an
             outgoing datagram is the mapping:

                route(dest IP addr, TOS) -> gateway, interface

It's obvious that hosts that implement the Weak ES model are the ones
vulnerable, while hosts that implement the Strong ES model are not.

-- 
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
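The following is an added example, written for this page rather than taken from the post or from RFC 1122, that models issues (A) and (B) quoted above for a dual-homed host under both the Strong ES and Weak ES models. The interface names, addresses, networks and default gateways are constructed for illustration (TEST-NET-3 for the public side, RFC 1918 space for the internal side); TOS and IP forwarding are not modelled. It makes the security point of the thread concrete: a Weak ES host accepts a datagram that arrives on its public interface but is addressed to its internal-interface or loopback address, while a Strong ES host discards it, and the two models pick different egress interfaces for the same (source, destination) pair.

```python
"""Strong ES vs Weak ES handling of RFC 1122 §3.3.4.2 issues (A) and (B).

Added example, not code from the original Bugtraq post or from RFC 1122.
All addresses, interface names and gateways below are constructed.
"""
from ipaddress import ip_address, ip_network

STRONG, WEAK = "strong", "weak"

# Constructed dual-homed host: interface -> (own address, directly attached net).
HOST_IFACES = {
    "eth0": ("203.0.113.10", "203.0.113.0/24"),  # public side
    "eth1": ("10.0.0.10", "10.0.0.0/24"),        # internal side
    "lo":   ("127.0.0.1", "127.0.0.0/8"),        # loopback
}
# Strong ES: the RFC text requires a default gateway per IP source address.
STRONG_DEFAULTS = {"203.0.113.10": "203.0.113.1", "10.0.0.10": "10.0.0.1"}
# Weak ES: a single default route, (gateway, interface), keyed on nothing.
WEAK_DEFAULT = ("203.0.113.1", "eth0")


def accept_incoming(model, ingress_iface, dst, ifaces=HOST_IFACES):
    """Issue (A): should a datagram for dst arriving on ingress_iface be accepted?

    Strong ES: only if dst is the address of the receiving interface.
    Weak ES:   if dst is any address of the host, whatever interface it used.
    Datagrams not addressed to the host are rejected under both models
    (forwarding is out of scope here).
    """
    local = {addr for addr, _net in ifaces.values()}
    if dst not in local:
        return False
    if model == STRONG:
        return ifaces[ingress_iface][0] == dst
    return True


def select_egress(model, src, dst, ifaces=HOST_IFACES):
    """Issue (B): return (interface, next_hop) for a non-source-routed datagram.

    next_hop is None when dst is on the chosen interface's attached network.
    Strong ES: route(src, dst, TOS) -> gateway; the interface is the one that
               owns src, and the gateway must be reachable on that interface.
    Weak ES:   route(dst, TOS) -> gateway, interface; src is not consulted.
    """
    dst_ip = ip_address(dst)
    if model == STRONG:
        for name, (addr, net) in ifaces.items():
            if addr != src:
                continue
            if dst_ip in ip_network(net):
                return name, None
            gw = STRONG_DEFAULTS.get(src)
            if gw is None:
                raise ValueError(f"no default gateway for source {src}")
            return name, gw
        raise ValueError(f"{src} is not a local address")
    # Weak ES: longest-prefix match on the destination alone, then one default.
    best = None
    for name, (_addr, net) in ifaces.items():
        n = ip_network(net)
        if dst_ip in n and (best is None or n.prefixlen > best[1].prefixlen):
            best = (name, n)
    if best is not None:
        return best[0], None
    gw, name = WEAK_DEFAULT
    return name, gw


if __name__ == "__main__":
    # A datagram from the public side aimed at the internal and loopback
    # addresses: accepted by Weak ES, discarded by Strong ES.
    for dst in ("10.0.0.10", "127.0.0.1", "203.0.113.10"):
        for model in (WEAK, STRONG):
            print(f"{model:6} in on eth0 for {dst:13} -> "
                  f"{'accept' if accept_incoming(model, 'eth0', dst) else 'discard'}")
    # Same reply, internal source address, public-side destination:
    # Weak ES sends it straight out eth0; Strong ES hands it to eth1's gateway.
    for model in (WEAK, STRONG):
        print(f"{model:6} egress for 10.0.0.10 -> 203.0.113.77: "
              f"{select_egress(model, '10.0.0.10', '203.0.113.77')}")
```

Run it to see the asymmetry directly: under the Weak ES model the host is a single logical host reachable through any of its addresses via any interface, which is exactly why a service bound only to the internal or loopback address is not shielded by the interface it sits on; under the Strong ES model each interface behaves like a separate host. Real stacks vary in how closely they follow either model, so treat this as the RFC's abstraction, not as a description of any particular operating system.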